An Coimisiún um 
Chosaint Sonrai 
Data Protection 
Commission 


Mr Juan Fernando LOPEZ AGUILAR, 

Chair, 

Committee on Civil Liberties, Justice and Home Affairs, 
European Parliament 


By email only for the attention the Chair: libe-secretariat@ep.europa.eu 


cc : Committee Shadow Rapporteurs 


12 March 2020 


Dear Sir 


| refer to my letter to you of 09 February 2021, in relation to the Committee’s consideration of the 
Judgment of the Court of Justice of the European Union in Case C-311/18, Data Protection Commission 
v. Facebook Ireland Limited & Maximillian Schrems, as reflected in the Committee’s Draft Motion for a 
Resolution, Reference No. 2020/2789(RSP). 


Whilst | have not received a reply to my letter, | understand that the process by which the Resolution 
will be finalised for adoption by the Committee is continuing. In that regard, | note that a List of 
Proposed Amendments was published on 3 March 2021. 


Relatedly, | note that the Committee is separately preparing to finalise a Draft Motion for a Resolution 
in relation to its consideration of the European Commission’s evaluation report on the implementation 
of the General Date Protection Regulation, two years after its implementation (Draft Motion Reference 
No. 2020/2717(RSP). It is my understanding that this latter resolution will be finalised and adopted at 
the Committee’s meeting scheduled for Monday, 15 March 2021 and Tuesday, 16 March 2021, a List 
of Proposed Amendments having been published on 3 February 2021. 


Accepting, without question, the right of elected members of the Committee to give full expression to 
the views they hold, and likewise fully respecting the right (and, indeed, duty) of Committee members 
to articulate, freely, the concerns of the citizens they represent, | wish to record my disappointment 
that (as now appears), both Draft Resolutions will be finalised and adopted without the Committee 
taking up my offer to engage with the Committee. In that regard, you will recall that, in my letter of 09 
February last, | expressed concern that, in certain respects, positions advanced by or on behalf of the 
Committee in Draft Resolution 2020/2789(RSP) appear to be grounded on facts that are inaccurate and 
incomplete, and on assumptions that are both wrong, and remain untested. 
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Whilst my letter was directed solely to the contents of Draft Resolution 2020/2789(RSP), | note that 
particular elements of that resolution are also reflected in amendments proposed to Draft Resolution 
2020/2717(RSP). In that regard, | note, for example, that some Committee members have proposed 
amendments to paragraph 11 of the resolution, concerning the length of time taken by some DPAs to 
investigate individual cases. The purpose of the amendments now proposed is to identify this office as 
a DPA deserving of particular criticism in that connection. 


Emphasising that my office in no sense seeks to shield itself from criticism, and recognising (and fully 
accepting) the critical importance of the Committee’s work in shining a light on those elements of the 
GDPR that are not working well in practice, | nonetheless take issue with an approach to such matters 
that proceeds, not on the basis of a complete set of facts, properly established, but on untested 
assumptions, at least some of which are informed, it appears, by views expressed by parties external to 
the Committee. 


To be clear, | believe there is considerable force to observations made by members of the Committee 
in relation to the uneven levels of enforcement evident amongst the supervisory authorities of Member 
States across the Union. Equally, the absence of uninform procedures, applicable to all cases involving 
cross-border processing wherever they may be handled, presents significant challenges for effective 
enforcement; the same can be said of differences in approach amongst DPAs in relation to the levels at 
which administrative fines should properly be levied. The emphasis on administrative fines, to the 
exclusion of other remedies - such as the imposition of bans on processing - presents another example 
of the adoption of practices by DPAs collectively that rightly attract fair criticism. 


It is my view that the position of DPAs across the Union on these issues, both individually and 
collectively, is properly the subject of scrutiny by the Committee. Equally, DPAs must be accountable 


for their respective records on issues relating to enforcement. 


It was precisely to facilitate such levels of scrutiny, and such accountability, that | offered to engage 
with the Committee in such manner and in such forum as it considers appropriate. 


| did so because | recognise, and accept, that, by holding DPAs to account, barriers to the proper and 
effective protection of the rights of data subjects may be identified and addressed, whether those 
barriers are the product of structural or systemic problems within the systems of enforcement laid 
down by the GDPR, or whether they reflect inadequate resourcing of DPAs by individual Member States, 
or whether they are simply the result of poor performance on the part of DPAs, either at an individual 
level, or, collectively, in the context of the operation of the co-operation and consistency mechanisms 
set out in Chapter VII of the GDPR. 


Critically, however, the Committee’s capacity to achieve these ends is contingent upon it securing 
access to accurate and complete information, sufficient to ensure that it: 
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- develops a fulsome understanding of the issues at hand, reflective of the experience of all 
relevant stakeholders and not just some of them; 


- is equipped to test (and does in fact test) all of the views presented to it; 


- identifies and strips away the kinds of assumptions that would otherwise undermine its 
analysis; and, 


- ultimately achieves a reasonable level of depth in its analysis. 


As outlined in my letter of 09 February last, | am concerned that the Committee, or some of its 
members, have formed judgments that are not the product of any kind of rigorous and informed 
analysis, as evidenced by the inclusion, in the context of a resolution nominally directed to the 
Committee’s consideration of the CJEU judgment of 16 July 2020, of statements to the effect that the 
Commission should bring infringement proceedings against Ireland on the basis that, by reference to 
unparticularised assertions relating to the performance of my office, Ireland is “not properly enforcing 
the GDPR.” 


Without repeating specific points addressed in my earlier letter in this connection, the Committee may 
wish to examine and consider the following select matters when formulating their respective positions 
on such matters: 


- Some two hundred thousand multi-national companies — including large insurance and 
financial services firms, publishing houses, media corporations and data brokers, operate 
within the member states of the EU, a small fraction of whom are based in Ireland. All of those 
organisations engage in cross-border processing; many, if not most, also transfer data to third 
countries. We can say with some certainty, therefore, that personal data relating to citizens 
throughout the Union are routinely the subject of cross-border processing on a systemic basis, 
with all of the risks attendant upon such activities. While it is of course true that many (but not 
by any means all) social media platforms are headquartered in Ireland, it is surely worthy of 
examination as to why Article 60 decisions are not being presented by DPAs across the Union 
on systemic areas of risk relating to the cross-border processing for which those DPAs bear 
supervisory responsibilities. To be clear, the DPC does not raise this question by way of criticism 
of its colleagues. To the contrary, it is raised because it is necessary to test casual assumptions 
to the effect that the only controllers to be considered in the context of a debate around 
enforcement, and the only controllers to be considered when assessing the nature and extent 
of the risks to which the personal data of EU citizens are exposed, are those limited number of 
internet/social medial companies headquartered in Ireland. On any assessment, an entirely 
selective approach of this nature cannot be said to be rational, not least because it discloses 
far too narrow a view of the problems at hand, the result of which would be to permit 
substantial amounts of unlawful processing to continue, unchecked. 
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In my previous letter, | noted that, following the delivery of the CJEU’s judgment of 16 July 
2020, the DPC alone amongst its colleagues has taken regulatory action to ensure the proper 
application of the Court’s findings in practice. Consistent with the views expressed by some 
members of the Committee in the context of their exchanges around the draft resolutions 
presently the subject of debate, the DPC has identified that, if, at the conclusion of its 
regulatory process, preliminary views expressed by the DPC on the application of the CJEU’s 
findings to transfers by Facebook are upheld, the appropriate regulatory response should 
include provision for the imposition of a ban on processing. Against that backdrop, it is not 
without irony that the regulatory process in question (in which the data protection rights of 
millions of EU citizens are engaged) was stayed (frozen) in the context of legal proceedings 
brought by the only person, external to the Committee and the institutions of the EU, from 
whom the Committee elected to hear in open session in connection with its examination of the 
CJEU judgment. 


On the question of sanctions, the DPC notes that one of the amendments tabled to the 
Committee’s draft resolution on the two-year review of the GDPR lauds the German authorities 
for adopting a unform methodology to the application and calculation of administrative fines. 
The Committee should, however, be aware that the methodology in question has in fact been 
overruled by the German Courts. It is equally of note that several fines levied by supervisory 
authorities in Germany have been reduced or set aside by the Courts of that jurisdiction in 
recent months.? Again, to be clear, none of this is intended as criticism of the approaches 
adopted by German supervisory authorities to issues around sanction. It does, however, 
illustrate that challenges are being experienced by all DPAs in their dealings with a new legal 
framework, and that national courts are not always interpreting the law in the same way as 
DPAs. 


To the extent that some members of the Committee — and some commentators external to the 
Committee - may wish to frame the debate solely by reference to a particular, and narrow, sub- 
group of controllers, it should also be noted that, in December 2020, the DPC transmitted a 
draft decision to the EDPB (under the Article 60 procedure) in relation to WhatsApp. That 
procedure remains ongoing at “Concerned Supervisory Authority” level, with the DPC presently 
assessing the (frequently conflicting) objections received from other DPAs. It is anticipated that 


1 https://blogs.dlapiper.com/privacymatters/germany-bonn-regional-court-overrules-gdpr-fining-guidelines-by- 


german-data-protection-authorities/ 


https://www.dataprotectionreport.com/2021/02/deutsche-wohnen-fine-now-declared-invalid-by-a-german- 
court/#:~:text=Deutsche%20Wohnen%20fine%20now%20declared%20invalid%20by%20a%20German%20court 


y%20Christoph%20Ritzer&text=There%20has%20been%20a%20big, has%20just%20been%20declared%2O0invali 
d.&text=The%20Regional%20Court%20(Landgericht)%20of,invalid%20and%20closed%20the%20proceedings. 
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a further group of cases, again directed to the sub-group of controllers on whom some 
commentators are fixed, will be submitted to the Article 60 proceedings as 2021 progresses. 


- The DPC’s experience of the application of the procedures laid down in Articles 60 and 65 of 
the GDPR in relation to its decision on Twitter may be of interest to Committee members. Those 
members of the Committee who have read the published Article 60 and Article 65 decisions 
will get a better sense of some of the challenges associated with the operation, in practice, of 
the “One-Stop-Shop” concept. The process is undoubtedly cumbersome, and slow, albeit that, 
at least in part, that is the product of failure on the part of some DPAs to understanding key 
concepts, including, most obviously, the purpose and role of the “Relevant and Reasoned 
Objection” procedure. As well as adding to the duration of the process, the submission of 
conflicting objections by multiple DPAs also belies the suggestion that the application of GDPR 
principles in individual cases is always easy and straightforward, and that the answers to the 
questions posed by data subject complainants are obvious. For completeness, the Committee 
will observe that the EDPB rejected most of the objections received in relation to the DPC’s 
draft decision. 


- Whilst the Committee has focused its attention on the GDPR, it is of course the case that a new 
Law Enforcement Directive also came into force on 25 May 2018. The DPC notes that several 
EU Member States are now the subject of infringement proceedings for their failure to 
transpose that directive into national law. For its part, the DPC has already made several 
decisions of significance under this particular framework, details of which can be found on the 
DPC’s website. 


Against the backdrop of these points — presented on an illustrative basis only — it will readily be 
understood that, in truth, the debate around issues of enforcement, at least as conducted to date, lacks 
any real depth and will ultimately contribute little to the protection of EU citizens’ interests in the area 
of data protection. In the rush to adopt positions critical of individual DPAs (most obviously the DPC), 
an objective, evidence-based approach has all too quickly been abandoned in favour of assumption and 
sound-bites. This is regrettable. Equally regrettable is the fact that such positions are being adopted, 
without first affording my office any opportunity to be heard in relation to the matter. On any objective 
view, that cannot be said to be consistent with basic requirements of fairness. 


The concerns | sought to outline in my letter of 09 February are deepened by certain of the 
amendments now proposed to Draft Resolutions 2020/2789(RSP) and 2020/2717(RSP), respectively, 
and by the fact that, rather than engaging with — or even acknowledging - my earlier letter, it appears 
the Committee is intent on proceeding along its existing course. Moreover, it appears that some 
Committee members are willing to compound matters by seeking, even at this late stage, to introduce 
new criticisms. By way of single example, it appears from Amendment #91 (relating to Draft Resolution 
2020/2717(RSP)), that, without any examination of the operation of the cooperation procedures laid 
down at Article 60 GDPR, my office — and my office alone - is to be held accountable for the “great 
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concerns” it is said must be expressed over the functioning of the “one stop shop”. The Committee is 
also invited — by means of the same amendment — to endorse an assertion to the effect that the Irish 
DPA “closes by far most cases with a settlement instead of asanction.” Quite apart from the inaccuracy 
of this most bald and unparticularised of assertions, the text of the proposed amendment reveals a 
fundamental misunderstanding of the complaint-handling task assigned by the GDPR to each individual 
DPA. 


For completeness, it would be remiss to allow Proposed Amendment #94 (also relating to Draft 
Resolution 2020/2717(RSP)), to pass without remark. My office deplores the prejudice so casually 
expressed by the elected member and invites the Committee to reflect upon the obvious disconnect 
between the kind of leadership expected — and required - of all those operating in the political sphere, 
and the invocation of offensive stereotypes of this type. 


Conclusion 


| remain at the disposal of the Committee if it considers that it would be helpful to hear directly from 
my office and/or to test some or all of the views expressed by the Committee or individual members 
by examining, first-hand, those responsible for the discharge by the Irish DPA of its regulatory 
enforcement functions. Pending such engagement, and in the interests of basic fairness, | must again 
ask the Committee, through your good offices, as Chair, to reflect on the observations | have made on 
the draft resolutions referred to. 


Yours sincerely 


J, d 
fdd 


Helen Dixon 


Commissioner for Data Protection (Ireland) 
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